svn commit: r334743 - releng/11.2/sys/netinet
Michael Tuexen
tuexen at FreeBSD.org
Wed Jun 6 22:34:21 UTC 2018
Author: tuexen
Date: Wed Jun 6 22:34:20 2018
New Revision: 334743
URL: https://svnweb.freebsd.org/changeset/base/334743
Log:
MFstable/11 334732:
Don't overflow a buffer if we receive an INIT or INIT-ACK chunk
without a RANDOM parameter but with a CHUNKS or HMAC-ALGO parameter.
Please note that sending this combination violates the specification.
Thanks to Ronald E. Crane for reporting the issue for the userland
stack.
Approved by: re (gjb@)
Modified:
releng/11.2/sys/netinet/sctp_auth.c
releng/11.2/sys/netinet/sctp_pcb.c
Directory Properties:
releng/11.2/ (props changed)
Modified: releng/11.2/sys/netinet/sctp_auth.c
==============================================================================
--- releng/11.2/sys/netinet/sctp_auth.c Wed Jun 6 22:29:21 2018 (r334742)
+++ releng/11.2/sys/netinet/sctp_auth.c Wed Jun 6 22:34:20 2018 (r334743)
@@ -1502,6 +1502,8 @@ sctp_auth_get_cookie_params(struct sctp_tcb *stcb, str
if (p_random != NULL) {
keylen = sizeof(*p_random) + random_len;
memcpy(new_key->key, p_random, keylen);
+ } else {
+ keylen = 0;
}
/* append in the AUTH chunks */
if (chunks != NULL) {
Modified: releng/11.2/sys/netinet/sctp_pcb.c
==============================================================================
--- releng/11.2/sys/netinet/sctp_pcb.c Wed Jun 6 22:29:21 2018 (r334742)
+++ releng/11.2/sys/netinet/sctp_pcb.c Wed Jun 6 22:34:20 2018 (r334743)
@@ -6702,6 +6702,8 @@ next_param:
if (p_random != NULL) {
keylen = sizeof(*p_random) + random_len;
memcpy(new_key->key, p_random, keylen);
+ } else {
+ keylen = 0;
}
/* append in the AUTH chunks */
if (chunks != NULL) {
More information about the svn-src-releng
mailing list